The laptop is a Dell G15 5530 running Windows 11 Pro. I would prefer to use Device Encryption because it is simpler to implement and saves the key in the user's Microsoft account. Also, when I tried turning on BitLocker Drive Encryption, there was no "Save to my Microsoft account" option. Also, using an Intel NUC running W11P, I practiced achieving my goals of having the encryption key saved in a Microsoft user account AND making Find my Device work fully. In that test attempt, Settings did not offer a Device Encryption option, whereupon I discovered that MSINFO32 reported a problem with PCR7 binding, which I luckily fixed by enabling Deep Sleep S4 & S5. THEN Device Encryption was available, so I used that option.
In the case of these two laptops, the "Device Encryption Support" entry in MSINFO32 lists two "reasons for failed automatic device encryption":
- PCR7 binding is not supported
- Un-allowed DMA capable bus/device(s) detected
Other relevant data points:
- BIOS Mode = UEFI
- Secure Boot State = ON
- PCR7 Configuration = Binding Not Possible
I found an article about using elevated PowerShell to further query the system. Pasted below are its results:
PS C:\Users\it-admin> Confirm-SecureBootUEFI
True
PS C:\Users\it-admin> manage-bde -protectors -get $env:systemdrive
BitLocker Drive Encryption: Configuration Tool version 10.0.22621
Copyright (C) 2013 Microsoft Corporation. All rights reserved.
Volume C: [OS]
All Key Protectors
ERROR: No key protectors found.
Lastly, for now, this doc from Microsoft says "Starting in Windows 11, version 24H2, the prerequisites of DMA and HSTI/Modern Standby are removed", which suggests to me that the DMA-related error shouldn't apply.
Thank you.
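A read-only readiness check that gathers the same data points the post collects by hand (Secure Boot, TPM state, OS build against the 24H2 threshold, BitLocker key protectors, and the PCR7 / Device Encryption Support lines from an msinfo32 report), added here as an example and not part of the original post. The 24H2 = build 26100 mapping and the temporary report path are assumptions; run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the original post): read-only readiness check for
# Device Encryption / BitLocker on the OS drive. Changes no settings.
$report = [ordered]@{}

# UEFI Secure Boot must be on for PCR7 binding to be possible at all.
try   { $report['SecureBootEnabled'] = Confirm-SecureBootUEFI }
catch { $report['SecureBootEnabled'] = "not UEFI / not supported: $($_.Exception.Message)" }

# TPM presence and readiness; Device Encryption needs a ready TPM.
$tpm = Get-Tpm
$report['TpmPresent'] = $tpm.TpmPresent
$report['TpmReady']   = $tpm.TpmReady

# OS build. Assumption: Windows 11 24H2 corresponds to build 26100. The quoted
# Microsoft doc says the DMA and HSTI/Modern Standby prerequisites are dropped
# starting with 24H2, so on that build or later the "Un-allowed DMA capable
# bus/device(s)" reason should no longer block automatic encryption.
$os    = Get-CimInstance Win32_OperatingSystem
$build = [int]$os.BuildNumber
$report['OsBuild']          = $build
$report['DmaPrereqRemoved'] = ($build -ge 26100)

# Current state of the OS volume. "ERROR: No key protectors found" from
# manage-bde corresponds to an empty KeyProtector list here.
$vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
$report['VolumeStatus']     = $vol.VolumeStatus
$report['ProtectionStatus'] = $vol.ProtectionStatus
$report['KeyProtectors']    = ($vol.KeyProtector | ForEach-Object KeyProtectorType) -join ', '

# PCR7 binding and the "reasons for failed automatic device encryption" are
# only exposed by msinfo32, so export its report and pull those lines out.
# Assumption: writing the report under $env:TEMP is acceptable.
$msinfo = Join-Path $env:TEMP 'msinfo32-device-encryption.txt'
Start-Process msinfo32.exe -ArgumentList "/report `"$msinfo`"" -Wait
$lines = Get-Content -Path $msinfo
$report['Pcr7Configuration']       = ($lines | Where-Object { $_ -match 'PCR7 Configuration' }) -join '; '
$report['DeviceEncryptionSupport'] = ($lines | Where-Object { $_ -match 'Device Encryption Support' }) -join '; '

$report
```

Run it once before and once after a firmware change (such as the Deep Sleep setting mentioned above) and diff the two outputs to see which prerequisite actually moved.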